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to Achieve SK Capacity 
in the Multiterminal Source Model* 
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Abstract 

The focus of this paper is on the public communication required for generating a maximal-rate secret key (SK) 
within the multiterminal source model of Csiszar and Narayan. Building on the prior work of Tyagi for the two- 
terminal scenario, we derive a lower bound on the communication complexity, Rsk, defined to be the minimum 
rate of public communication needed to generate a maximal-rate SK. It is well known that the minimum rate of 
communication for omniscience, denoted by Rco, is an upper bound on Rsk- For the class of pairwise independent 
network (PIN) models defined on uniform hypergraphs, we show that a certain “Type <S” condition, which is verifiable 
in polynomial time, guarantees that our lower bound on Rsk meets the Rco upper bound. Thus, PIN models satisfying 
our condition are f?sK-maximal, meaning that the upper bound Rsk < Rco holds with equality. This allows us to 
explicitly evaluate Rsk for such PIN models. We also give several examples of PIN models that satisfy our Type S 
condition. Finally, we prove that for an arbitrary multiterminal source model, a stricter version of our Type S condition 
implies that communication from all terminals (“omnivocality”) is needed for establishing a SK of maximum rate. 
For three-terminal source models, the converse is also true: omnivocality is needed for generating a maximal-rate 
SK only if the strict Type S condition is satisfied. Counterexamples exist that show that the converse is not true in 
general for source models with four or more terminals. 


I. Introduction 

Maurer fT) and Ahlswede and Csiszar El independently introduced the problem of generating a secret key (SK) 
for a pair of terminals observing distinct, albeit correlated, components of a discrete memoryless multi-component 
source. The SK is to be generated by communicating interactively over a noiseless public channel, and it is to be 
kept secure from all passive eavesdroppers having access to the public channel. The problem was subsequently 
extended to a multiterminal setting by Csiszar and Narayan [3[. The Csiszar-Narayan model is now commonly 
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referred to as the multiterminal source model. The quantity of interest in these papers, and indeed in much of the 
literature that followed on this topic a, a, a, m, is the secret key capacity, i.e., the supremum of the rates of 
SK that can be generated within this model. In the two-terminal case, an exact characterization of the SK capacity 
can be found in the original works of Maurer JT] and Ahlswede and Csiszar El. Csiszar and Narayan El later gave 
an elegant single-letter expression for SK capacity in the general multiterminal source model. 

In all the aforementioned studies, the noiseless public channel is viewed as an unlimited free resource, and no 
attempt is made to restrict the amount of communication sent through it. Indeed, Csiszar and Narayan 0 Section 
VI] left open the question of determining the minimum rate of interactive public communication needed to achieve 
SK capacity. Tyagi 01 addressed this question in the two-terminal case, and gave an exact, although difficult to 
compute, characterization of the minimum rate of communication. In this paper, we extend some of Tyagi’s ideas 
to the multiterminal setting, and apply them to give an explicit answer to Csiszar and Narayan’s open question 
in some interesting special cases, namely, certain instances of the so-called pairwise independent network (PIN) 
model 0, 0. 

A. Our Contributions 

The primary focus of our work is on the following question: What is the minimum rate of interactive public 
communication required to achieve SK capacity in the multiterminal source model? We shall refer to the minimum 
rate of public communication as the communication complexit^ of achieving SK capacity, denoted by Rsk- Csiszar 
and Narayan’s original proof of the achievability of their single-letter expression for SK capacity 0 Theorem 1] 
used a (non-interactive) communication protocol that enabled “omniscience” at all terminals, which means that the 
communication over the public channel allows each terminal to recover the observations of all the other terminals. 
It follows from their results that Rsk is always upper bounded by Rco, the minimum rate of interactive public 
communication required to achieve omniscience at all terminals. Furthermore, Rco is given by the solution to a linear 
program 0 Proposition 1] (see £j} in Section|II]), so it can be computed efficiently. On the other hand, it is also well 
known that omniscience is not necessary for maximal-rate SK generation — see the remark following Theorem 1 
in 0 , and also the proof of Theorem 3.2 in 0 . Indeed, it is not difficult to find examples where Rsk Rco', our 
Example II V. 1 1 is one such. Thus, the sources for which we have Rsk = Rco constitute the worst-case sources in 
terms of communication complexity; we call such sources RsK-niaximal. We give a sufficient condition for a PIN 
model defined on a uniform hypergraph to be /i’sk- maximal, and show that PIN models satisfying this condition 
do exist. For these PIN models, it is easy to explicitly compute Rco, which then gives us an exact expression for 
Rsk- This is the first (non-trivial) explicit evaluation of Rsk to be found in the literature, for a multiterminal source 
model with more than two terminals. Interestingly, for PIN models defined on ordinary graphs (i.e., each edge is 
incident with only two vertices), our sufficient condition is also necessary, which gives us an exact characterization, 
decidable in polynomial time, of ordinary graph PIN models that are /fsK-maximal. 

1 Our use of “communication complexity” differs from the use prevalent in the theoretical computer science literature where, following 0, 
it refers to the total amount of communication, in bits, required to perform some distributed computation. 
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The main tool in our analysis is a lower bound on Rsk obtained via a multiterminal extension of Tyagi’s work g). 
Tyagi’s characterization of Rsk for two terminals J8] Theorem 3] was in terms of the minimum rate of an interactive 
common information, a type of Wyner common information (see l ilOl ). In order to appropriately generalize these 
ideas, we propose extensions of conditional mutual information and Wyner common information to the setting of 
more than two terminals. With these new multiterminal definitions in hand, we essentially follow the approach in |8] 
to derive a lower bound on Rsk in terms of the minimum rate of a multiterminal analogue of interactive common 
information. As in the case of Tyagi’s result for two terminals, an exact evaluation of this bound appears to be a 
difficult task even for simple source models such as Markov chains. However, unlike the two-terminal result, we 
are unable to show that our lower bound to Rsk is tight in general. Luckily, we are able to evaluate this bound 
exactly for certain PIN models as mentioned above, and the bound turns out to be tight in these cases as it matches 
the Rco upper bound. 

A secondary line of investigation carried out in this paper concerns the nature of the public communication 
protocols that achieve SK capacity. It is well known that, in order to generate a maximal-rate SK in the two- 
terminal model, it is sufficient for only one terminal to communicate [T), (2), (3). All this terminal has to do is 
convey its local observations to the other terminal at the least possible rate of communication required to do so. 
Thus, in the two-terminal setup, it is never necessary for both terminals to communicate to generate a capacity- 
achieving SK. Even in the case of more than two terminals, there are examples wherein not all terminals need to 
communicate — again, see the remark following Theorem 1 in j.3). However, as we will show in this paper, there 
are plenty of other examples where all terminals must communicate in order to achieve SK capacity. We coin the 
term “omnivocality” to describe the state when all terminals communicate. The problem of interest to us then is 
the following: Characterize the instances of the multiterminal source model in which omnivocality is necessary for 
maximal-rate SK generation. In this paper, we report some partial progress towards such a characterization. 

In 17J, Gohari and Anantharam considered the scenario where a subset of terminals is required to remain silent, 
and yet all the terminals must agree upon an SK using only the communication from terminals that are allowed to 
talk. They derived a linear programming formulation for the maximum SK rate achievable in this scenario. Observe 
that omnivocality is necessary for achieving SK capacity in a source model iff any one terminal not being allowed 
to communicate strictly lowers the maximum achievable SK rate for that model. This establishes a correspondence 
between the omnivocality condition and the Gohari-Anantharam scenario involving silent terminals. We use this 
correspondence to identify a sufficient condition under which omnivocality is necessary for achieving SK capacity 
in a source model with at least three terminals. We further show that in the case of exactly three terminals, our 
sufficient condition is also necessary. Based on this evidence, we had conjectured in ITTll that our condition was 
always necessary and sufficient. Unfortunately, a counterexample has been given by Chan et al. ca that shows 
that the condition is not necessary for four or more terminals |T2j- This has also been independently observed by 
Zhang et al. in fl3l . 
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B. Related work 

Besides the work of Tyagi ED that we have already mentioned, a few other recent papers have considered the 
SK generation problem from a communication complexity angle. The line of work that is perhaps most directly 
related to ours is that of Courtade and co-authors m, US), OBD, which considers the coded cooperative data 
exchange (CCDE) problem 03 with the goal of generating an SK. This is, in essence, a single-shot version of the 
SK generation problem defined on hypergraph PIN models. Here, by “single-shot”, we mean that each terminal sees 
only one realization of the component of the source available to it, as opposed to the Csiszar-Narayan setup within 
which each terminal sees a sequence of i.i.d. realizations. The single-shot SK capacity, i.e., the maximum size (as 
opposed to maximum rate) of an SK that can be generated, was evaluated in llT4l Theorem 6]. The capacity achieving 
protocol used is a one-shot version of the communication-for-omniscience protocol of 0. The follow-up works 
na and mi addressed the issue of determining the minimum amount (again, as opposed to rate) of communication 
required to generate an SK of a particular size. However, this is done under a additional linearity requirement on 
the communication, i.e., the communication is required to be a linear function of the source outputs. Theorem 11 of 
mi then gives an explicit characterization of what could be rightfully called the linear communication complexity 
of generating an SK of a given size, in terms of the minimum number of hyperedges of an “inherently r-connected 
subhypergraph”. It was further shown in lH6l Theorem 4] that there exist hypergraph PIN models for which non¬ 
linear communication protocols for achieving (single-shot) SK capacity require lower amounts of communication 
than the linear communication complexity. It should be emphasized that our results do not make any linearity 
assumptions on the public communication. 

In ED, Liu et al. study public communication for SK generation in another variant of the multiterminal 
source model. The authors consider m + 1 terminals observing correlated i.i.d. sources. One terminal acts as 
the communicator, sending information to each of the remaining m terminals via m different noiseless channels. A 
communication rate-key rate tradeoff region is identified for this model. However, the model is of somewhat limited 
interest to us because of the fact that each of the m different links have individual eavesdroppers, but co-operation 
is not allowed among them. Secrecy is no longer guaranteed if the eavesdroppers co-operate. Therefore, the problem 
setup is more of an amalgam of two-terminal problems rather than a truly multiterminal setup. 

Communication complexity has also been studied for two-terminal interactive function computation without a 
secrecy constraint. Braverman and Rao in fl9l Theorem II.3] gave an exact characterization of the communication 
complexity for two-party interactive function computation^ The communication complexity is shown to be equal to 
an information-theoretic quantity called the internal information cost. In a follow-up work, Braverman and Schneider 
provide an algorithm to compute the internal information cost for binary function computation — see Theorem 1.1 
of f20l . 

Turning our attention to the topic of omnivocality originally studied in our paper DU, Zhang et al. IH have 
recently obtained some new results. In particular, their Theorem 5 gives a sufficient condition for when a particular 

-To be precise, the quantity which we are calling communication complexity is referred to as amortized communication complexity in □3 
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terminal must communicate in any SK-capacity-achieving protocol. Our original sufficient condition for omnivocality 
HIT] Theorem 4] (Theorem [TO] in this paper) can now be obtained as a consequence of Zhang et al.’s Theorem 5. In 
addition, Theorem 4 of ifTHl provides a sufficient condition that guarantees the existence of an SK-capacity-achieving 
protocol within which a given terminal can remain silent. 

C. Organization 

The paper is organized as follows. In Section 071 we provide the definitions and preliminaries needed for the rest of 
the paper. In Section [Till we state and prove our lower bound on the communication complexity Rsk- In Section ITVl 
we identify a class of uniform hypergraph PIN models which are i?sK-maximal. Section [V] identifies a condition 
that makes omnivocality necessary for achieving SK capacity. The issue of verifying whether that condition holds 
for a given multiterminal source model is addressed in Section [VT] Finally, Section IyTH summarizes our results and 
presents some open problems. To preserve the flow of the exposition, the proofs of some of our results have been 
moved to appendices. 


II. Preliminaries 

We start by giving a mathematical description of the multiterminal source model of 0. Throughout, we use 
N to denote the set of positive integers. Consider a set of m terminals denoted by Ad = {1,2,... ,m}. Each 
terminal i £ Ad observes n i.i.d. repetitions of the random variable X, taking values in the finite set X,. The n 
i.i.d. copies of the random variable are denoted by Xf. For any subset A C Ad, X ,\ and X'f denote the collections 
of random variables (Xj : i £ A) and (X" : i £ A), respectively. The terminals communicate through a noiseless 
public channel, any communication sent through which is accessible to all terminals and to potential eavesdroppers 
as well. An interactive communication is a communication f = (/i, jg, • • •, f r ) with finitely many transmissions 
fj, in which any transmission sent by the vth terminal is a deterministic function of X" and all the previous 
communication, i.e., if terminal i transmits fj, then fj is a function only of X™ and f\,..., fj-i. We denote the 
random variable associated with f by F; the support of F is a finite set T. The rate of the communication F is 
defined as 7. loglAj. Note that f, F and T implicitly depend on n. 


Definition 1. A common randomness (CR) obtained from an interactive communication F is a sequence of random 
variables J^ n \ n£ff, which are functions of such that for any 0 < e < 1 and for all sufficiently large n, 
there exist Ji = Ji(Xf ,F), i = 1,2,... ,m, satisfying Pr[J\ = J 2 = • • • = J m = J^] > 1 — e. 


When J'"^ = X’f we say that the terminals in Ad have attained omniscience. The communication F which 
achieves this is called a communication for omniscience. It was shown in Proposition 1 of 0 that the minimum 

m 


rate achievable by a communication for omniscience, denoted by Rco, is equal to 
the region TZqo is given by 


min } Ri, where 

2=1 


n co = 


/ (Rh -R25 • • • j Rm ) • E Ri > H(X b \X B c),B C Afj. 


(1) 
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Henceforth, we will refer to Rco as the “minimum rate of communication for omniscience”. Further, it can be 
seen from the description of IZco that Rco < oo. More precisely, note that the point (If, II2 ...., R m ) defined by 
Ri = H(Xf) for all i lies in lZco, and hence Rco < J 2 iLi H{Xi) < 00. 

Definition 2. A real number II > 0 is an achievable SK rate if there exists a CR K { "f n £ N, obtained from 
an interactive communication F satisfying, for any e > 0 and for all sufficiently large n, I{K l ' n ' ) : F) < e and 
i H(K > R — e. The SK capacity is defined to be the supremum among all achievable rates. The CR K (n) is 
called a secret key (SK). 

From now on, we will drop the superscript (n) from both J ln> and K !n> to keep the notation simple. 

The SK capacity can be expressed as 0 Theorem 1] 


C(M) = H(X m )-Rc 0 . (2) 

Other equivalent characterizations of C (AA) exist in the literature. Csiszar and Narayan observed in (3] Section V] 
that since the linear program in ([]} has an optimal solution, by strong duality, the dual linear program also has the 
same optimal value. Using this fact, the expression for SK capacity can be rewritten as 

C{M) = H(X m ) - max V X B H(X B \X Be ) (3) 

AeA z —' 

BcB 

where B is the set of all non-empty, proper subsets of A4 , and A is the set of all fractional partitions defined on 
B. To be precise, any A = (\ B : B e B) € A satisfies X B > 0, for all B e B, and J2b-icb ^b = 1, for all i e M. 

It is a fact that H(Xm ) — max^eA J2bcB ^bH(X b \X B c) > 0 Ill] Proposition II]. 

Another characterization of SK capacity can be given via the notion of multipartite information defined as follows: 

\{X M ) 4nunA(P) (4) 

with A('P) = ppj—j- [Xm cv — H{X M )\ and the minimum being taken over all partitions V = {A\, A 2 , • • •, Af\ 

of M, of size t > 2. Note that 1(2^^) = rUfXj^f). The quantity I (Xj^) is a generalization of the mutual information 
to a multiterminal setting; indeed, for to = 2, we have I(Xi,X 2 ) = I(X i;A 2 ). Note that I(Xm) = 0 iff there 
exists a partition V = {A±, A 2 , ..., Ac} of Xf, with £ > 2, such that the random variables Xa 1 ,Xa 2 , ■ ■ ■, Xa t are 
mutually independent. It was shown in Theorem 1.1 of (22]| and Theorem 4.1 of lfl2l that 

C(M)=\{X m ). (5) 

For the rest of this paper we shall use C(X4) and I(Xm) interchangeably. 

The partition {{1}, {2},..., {to}} consisting of m singleton cells will play a special role in the later sections of 
this paper; we call this the singleton partition and denote it by S. The sources where S is a minimizer for 0 will 
henceforth be referred to as Type S sources. If S is the unique minimizer for 0 then we call such a source strict 
Type S. A connection between the optimal fractional partition in 0 and the optimal partition in 0 was pointed out 
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in $22\ . For any partition V of M define A^ as follows: A ^ ^for all B £ B and I{.} is the indicator 
function. It is easy to check that X^ 1 is a fractional partition on B, and A(V) = H{Xm)~J2beB X^' 1 H(Xb\Xb^). 
Hence, for any partition V* which is a minimizer in ([JJ. the corresponding X rp 1 is an optimal fractional partition 
for 

We are now in a position to make the notion of communication complexity rigorous. 


Definition 3. A real number R > 0 is said to be an achievable rate of interactive communication for maximal- 
rate SK if for all e > 0 and for all sufficiently large n, there exist (i) an interactive communication F satisfying 
h iogi^i < R + e, and (ii) an SK K obtained from F such that X.R[(K) > I{X M ) - e. 

The infimum among all such achievable rates is called the communication complexity of achieving SK capacity, 
denoted by Rsk- 


The proof of Theorem 1 in 0 shows that there exists an interactive communication F that enables omniscience 
at all terminals and from which a maximal-rate SK can be obtained. Therefore, we have Rsk < T’co < oo. Hence, 
in terms of communication complexity, the sources that satisfy /Ask = Rco are the worst-case sources. We will 
henceforth refer to them as R^-maximal sources. Such sources do exist, as will be shown in Sections [IV] and [VI] 


Tyagi gave a characterization of Rsk in the case of a two-terminal model j8j Theorem 3][j| The key to his 
characterization was the observation that conditioned on a maximal-rate SK K and the communication F from 
which K is extracted, the observations of the two terminals are “almost” independent: Xf |K, F) -A 0 as 

n -A oo. Thus, the pair (K, F) is a Wyner common information fTOl for the randomness at the terminals. Tyagi 
used the term “interactive common information” to denote any Wyner common information that consisted of a CR 
along with the interactive communication achieving it. 

We extend Tyagi’s ideas to the setting of m > 2 terminals. We first extend the definition of conditional mutual 
information to the multi terminal setting. We will refer to the multiterminal analogue of the conditional mutual 
information as the conditional multipartite information, and denote the conditional multipartite information of Xm 
given a random variable L by 1(X_m |L). As a natural extension of (Q}, we could define 1(Xm |L) as minp A("P|L), 

. Note that 


where A("P|L) = 


\v\-i 


1 E A ev H ( X ^)-H(X M \L) 

A(P|L) = H(X m |L) - ^ X^H(X B \X B o,-L). 


( 6 ) 


BaB 

Using this definition, we can indeed generalize Tyagi’s arguments to the case of m > 2 terminals and obtain a 
lower bound on Rsk- It turns out, however, that a stronger lower bound can be obtained by defining I(A_,vi |L) to 
be equal to A(V* |L), where V* is any partition that achieves the minimum in Q- One complication now is that 
there could be more than one choice of V* that achieves the minimum in ©, and two distinct choices of V* could 
yield different values for A(V*\\X). We simply choose the one that results in the largest value for I(A_vf |L). Thus, 


' [t should be clarified that Tyagi’s characterization works only for “weak” SKs, which are defined as in our Definition [2] except that the 
condition /(K;F) < e is weakened to T/(K;F) < e. Using our definitions, Tyagi’s arguments would only yield a two-terminal analogue of 
our Theorem [2] 
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we define 


I(.Xm|L) = max A(V*\L). (7) 

V * £ argmin.p A ( V ) 


The definition of I(Xjk|L) applies to any collection of jointly distributed random variables X m ; in particular it 
applies to the collection Xf^. To be clear. 


I(X 


M 


|L) = 


max 


P»gargminA(P) \V*\ — 1 


E H{ x a\V) - H{X n M \L) 


■A GV* 


We point out an important consequence of our definition of I(Xm |L). We have I(Xm |T) = 0 iff for any partition 
V* which achieves the minimum in ©, the random variables Xm are conditionally independent across the cells 
of V* given L. We are now in a position to extend the notion of the Wyner common information to a multipartite 
setting ^ 


Definition 4. A (multiterminal) Wyner common information (Cl w) f or Xm is a sequence of finite-valued functions 
i (n) =L^\Xf A ) such that T/(X£,|iW) — > 0 as n —>• oo. An interactive common information (Cl) for A'vt is 
a Wyner common information of the form L^ = ( J.F ), where F is an interactive communication and J is a CR 
obtained from F. 

Again, we shall drop the superscript (n) from lJ n> for notational simplicity. Wyner common informations L do 
exist: for example, the identity map L = X’J^ is a Cl w . To see that CIs (J,F) also exist, observe that J = X’m 
and a communication F enabling omniscience constitute a Clw, and hence, a CL 


Definition 5. A real number R > 0 is an achievable Cl w (resp. Cl) rate if there exists a Clw L (resp. a Cl 
L = ( J.F)) such that for all e > 0, we have -^H(L) < R + e for all sufficiently large n. We denote the infimum 
among all achievable Clw (resp. Cl) rates by CIw(Xm) (resp. CI(Xm))- 

The proposition below records the relationships between some of the information-theoretic quantities defined so 
far. 


Proposition 1. For a multiterminal source X'X, we have H ( Xm) > CI(Xm) > CIw(Xm) X HXm). 

Proof: The first inequality is due to the fact that there exists a Cl of rate H(Xm ). The second follows from 
the fact that a Cl is a special type of Cl via so that CUX M ) > Cl w (^ m ) ■ 

For the last inequality, we start by observing that for any function L of Xf^ and any partition V* of AA which 
is a minimizer in ©, we have 

I(*m) -I«|L) < I{X n M - L) - E! * 1 Pi(XbMXbc) (8) 

BClB 

= h( l) - e 

BeB 

4 In fact, there exist other ways of generalizing Wyner common information to the multiterminal setting (see da and El). 
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where ® follows from © and ([7]) and hence, 

—#(L) > \{Xm) — —I(X^|L). (9) 

n n 

Now, if L is any CIw of rate R , then by Definitions [4] and [5] for every e > 0, we have X H{ L) ^ c and 
il(X^j|L) < e for all sufficiently large n. Thus, in conjunction with 0, we have R + e > X H(L) > I(Xj^) — e 
for all sufficiently large n. In particular, R + e > l(X M ) — e holds for any e > 0, from which we infer that 
R > I( XhA). The inequality CIw(^m) > I( X_\ 4 ) now follows. ■ 

Finally, analogous to Definition [3] we have a definition of achievable rate of interactive communication required 
to get a Cl. 

Definition 6. A real number R. > 0 is said to be an achievable rate of interactive communication for Cl if for all 
e > 0 and for all sufficiently large n, there exist (i) an interactive communication F satisfying ^logl-Fl < R + e, 
and (ii) a CR J such that L = (/, F) is a Cl. We denote the infimum among all such achievable rates by Rqi- 

III. Lower Bound on R sk 

The goal of this section is to state and prove a lower bound on Rsk, which partially extends Tyagi’s two-terminal 
result (8] Theorem 3] to the multiterminal setting. 

Theorem 2. For any multiterminal source Xm, we have 


Rsk > Rci > CI(Xm) 


By Proposition Q] the lower bounds above are non-negative. 

The ideas in our proof of Theorem [2] may be viewed as a natural extension of those in the proof of J8] Theorem 
3]. We start with three preliminary lemmas. In all that follows, A* = f ‘ for any V* that achieves the maximum 
in the right-hand side of (Q; moreover. A* = (Af : B € B). 

Lemma 3. For any function L of Xwe have 

nI(X M ) = /(*£,! L) + H(L) - ]T \* B H{L\X &). 

BClB 


Proof: Consider L = L (Xjh). From (0, we have 

nI(X M ) = H(XfU) - E X *bH(X% |Xg c ) 
see 

= HiXfU.L) - E x * B H{XlMXlo) 

BeB 
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= ff(X£,|L) + ff(L)- Y,XbH{X^X% b )- E a b#(L|^) 

Bee bgb 

= TOIL) + ^(L) - E X *bH(UX^) 

see 

the last equality above being due to <(6]) and ([7]). ■ 


Lemma 4. For any CR J obtained from an interactive communication F, 

lim -J2\* b H(J\X^,F)=0. 

n—Joo n ^ J 

BeB 


Proof: Fix an e > 0. We have for all sufficiently large n, by Fano’s inequality, 

- E y B H(J\X^,F) < - E A b (h(e)+eH(X% e ,F)) 

n z —' n z ' 

BeB BeB 

<-E A s {Ke) + eH{X n M , F)) 
n bgb 

= -J2 X *b (h(e) + eH(X^)) 
n BeB 

= -E A s (h(e)+neH(X M )) 
n BeB 

< (2 m ~2)[h(e)+eH(X M )} (10) 

where h(.) is the binary entropy function, and (1 1 01 1 follows from the fact that, by definition, X* n < 1 and \B\ T" 2. 
Note that the expression in (ITOt goes to 0 with e, since h(e) —> 0 as e —> 0, and H(Xm) < logdljlil^l)- ■ 
The last lemma we need, stated without proof, is a special case of (4) Lemma B.l]. 

Lemma 5 ([:4j. Lemma B.l). For an interactive communication F we have 

H(F) > E X* b H(F\X^). 

BeB 

With these lemmas in hand, we can proceed to the proof of Theorem [2] 

Proof of Theorem^ The proof is done in two parts. In the first part, we prove that Rqi > ClfALvi) — I ( Xjvi). 
In the second part, we show that Rsk > Rci- 
Part 1: R CI > CI(Xj—I(Xj^) 

The idea is to show that l(Xj^) + f? CI is an achievable Cl rate, so that C\(X M ) < I(A\vf) + Rci- 
Fix an e > 0. By the definition of Rci, for all sufficiently large n, there exists an interactive communication 
F satisfying i log|^F"| < Rci + e/2 and a CR J such that L = (J,F) is a CI. We will show that ifF(J,F) < 
I(A’.v) j + i?ci + e for all sufficiently large n. This, by Definition [5] shows that I(A\vf) + Ra is an achievable CI 
rate. 
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Setting L = (J,F) in Lemma 0 we obtain 


h{ j.io- 

BeB 


-IpO*) = 


E A^£r(J|X3e,F)-I(X^|J,F) 

.BeB 


< e/2, 


( 11 ) 


where ( 1111 follows from Lemma 0 Re-arranging, we get 

~H( J,F) < I(X^) + - E A^(F|Xg c ) + e/2 

n n BeB 

^ T~ —-ff(F) + e/2 

the second inequality coming from Lemma [5] Finally, using the fact that T //(F) < T log| J 7 ! < i? CI + e/2, we see 
that 

-H(J,F) <I(X M ) + f?ci + e 
n 


which is what we set out to prove. 

Part II: Rsk > Rci 

Fix e > 0. From the definition of Rsk, there exist an interactive communication F and an SK K obtained from 
F such that, for all sufficiently large n, -i-log|J r | < Rsk + e and TiT(K) > I(Xm) ~ e - We wish to show that 
(K,F) is a Cl, so that by Definition [6] we would have /?sk > Rci- 
Setting L = (K, F) in Lemma [3] we have for all sufficiently large n, 


-I(X^|K,F) = l(X M ) - -H( K,F) + - E A^(F|X” 0 ) + - £ \%H(K\X^,¥) 
n n n n ' 

BeB BeB 

< I(X M ) - -H{ K|F) + e 

n 

< I(^Ow)--ff(K) + e + e 

n 


( 12 ) 

(13) 


< 3e, 


(14) 


where d follows from Lemmas 0 and [1] (fill follows from the fact that / (K: F) < e, while d is due to the 
fact that iiJ(K) > 1(Xm) ~ F - Thus, by Definition 0 (K.F) is a CI. ■ 

An issue with our Theorem 0 is that the bounds are difficult to evaluate explicitly, as we do not have a computable 
characterization of C\(Xm)- In addition to that, we do not know if the lower bounds of Theorem 0 are in general 
tight, in the sense of there being matching upper bounds. For the special case of the two-terminal model. Theorem 3 
of [|8] shows that the bound on J/sk is tight (albeit under a weaker notion of SK, as explained in Footnote 0. 
In the general multiterminal model, with m > 3, the best known upper bound on // S k is the minimum rate of 
communication for omniscience, Rco- In the following section, we identify a large class of sources where our lower 
bound equals Rco, i.e., the sources are //sk- maximal. 
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IV. I?sk-MAXIMALITY in uniform hypergraph PIN models 

This section focuses on a special class of sources called the PIN model, introduced in a and 0. A broad class 
of PIN models defined on uniform hypergraphs (which is a generalization of the PIN models of a and 0) is 
identified to be f?sK-maximal in this section. Briefly, a hypergraph PIN model is defined on an underlying hypergraph 
PL = (V,£) with V = A4, the set of to terminals of the model, and 8 being a multiset of hyperedges, i.e., subsets 
of VO For a hyperedge e having £ copies in the multiset £, we represent the different copies as ... ,ei. 

To keep the notation simple, if a hyperedge e has only one copy in £, we simply represent it as e instead of e\. 
Unless otherwise stated, we will assume that each hyperedge in £ has only one copy. For n G N, we define £ <rL ' 1 to 
be the multiset of hyperedges formed by taking n copies of each element of the multiset £. Associated with each 
hyperedge e G £ in> is a Bernoulli(l/2) random variable £ e ; the £ e s are all mutually independent. With this, the 
random variables V", i G M., are defined as Xf = (£ e : e G £and i G e). When every e G £ satisfies \e\ = t, 
we call PL a t-uniform hypergraph. We will show that any Type S uniform hypergraph PIN model is f?sK-maximal. 


Theorem 6. For a Type S PIN model defined on an underlying t-uniform hypergraph PL = (V, £), we have 
CI(X_m) = CIw{X_m) = H(Xm)> an d hence, Rsk = Rco = ^Ej |£|- 

Type S PIN models defined on /-uniform hypergraphs do indeed exist, as we will see in Section [Vi] Also, it 
is possible to efficiently determine if a given source Xm (not necessarily a PIN model) is Type S\ a strongly 
polynomial-time algorithm for this has been given by Chan et al. fl2l . In Section 1 V1 1 we present another useful, 
but inefficient, test for deciding the Type S property. 

The proof of Theorem [6] will require a technical lemma which we state below. 


Lemma 7. For any (-uniform hypergraph PIN model and any function L of X T we have 


J2HXf-,L)<tH(L). 


(15) 


i—l 


The lengthy proof of this lemma is deferred to Appendix lAl 


Proof of Theorem® Observe that A^ = —j^r, whenever \B\ = m — 1 and = 0, otherwise. Hence, for 
any Type S source XT, we have 


I^IL) > FTO|L) - -L-<TH(X n M \ {i } |JQ\L) (16) 

1 i—l 

using 0 and 0. Now assume that Xm arises from a PIN model defined on a (-uniform hypergraph PL = (V. £), 
and consider any function L of Xf^. This allows us to further simplify (fl6l >: 


1 IIL 

TOIL) > £TO) - H( L) - —— £ [(TO) - H{X?) - H(L\X?)] 

i—l 


5 Note that we allow £ to contain multiple copies of a hyperedge. In the graph theory literature, such a hypergraph is sometimes referred to 
as a “multi-hypergraph”. 
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n{t ~ m -mL) + -L-± Hm: 


TO — 1 

n(t-l)\£\ 


(17) 


2=1 


TO — 1 

n(t — 1 ) 
to — 1 


TO — 1 


£W;L)-ir(L) 


,fc=l 


(V|--iW) 

\ n y m — 1 


£l(Xf;L)-Lff(L) 


>^(|£|-W). 

m — 1 \ n J 


(18) 


the equality ( ITTI i using the facts that H(X^) = n|£| and 1 H{X^) = nf|£|, and | |T81 ) following from Lemma|7] 
We will now compute CT( X M ) using Proposition!]] The upper bound gives us Cl( X^') < \£ |, as II (X M ) = \£\. 
For the lower bound, let L be any Cliv so that for any e > 0, we have il(X^|L) <Mt for all sufficiently large 
n. The bound in (ITSl) thus yields -i-iT(L) > |<f7| —e for all sufficiently large n. Hence, it follows that CIw(X_m) > |£|- 
From the upper and lower bounds in Proposition!]] we then obtain CI w (X m) = CI(Xm) = //(A' vt ) ■ 

Now from Theorem[2]we have 7 ?sk > CI(Xm) — 1(Xm)- Hence, we have 


Rsk > \S\-I(X M ) = H(X m ) - I(X M ) = Rco, (19) 

where the last equality is from (0. But we also have /i’sk < Rco, as pointed out in Section [Til which proves that 
^sk = Rco- 

To obtain the exact expression for Rco, we note that by 0 and (0. Rco = H(X M ) - A(S) = H(X m ) - 
rii 1 | Y^iL i H{Xi). This simplifies to the expression stated in the theorem using the facts (already mentioned above) 
that H(X m ) = |£| and YZi H(X t ) = t\£\. • 

It turns out that for PIN models on graphs (i.e., t = 2), the Type S condition is also necessary for i?sK-maximality. 
It is possible that this holds for PIN models on f-uniform hypergaphs (with t > 3) as well, but we do not have a 
proof for this yet. 

Theorem 8. A PIN model defined on a graph is RsK-maximal iff it is Type S. 

We will prove the necessity of the Type S condition by showing that any graph PIN model that is not Type S 
has an SK-capacity-achieving protocol of communication rate strictly less than Rco- To do this, we need a few 
preliminaries. Consider a graph Q = (V. £) and define Q !n ' > = (V. £ <n ' > ) for any positive integer n. The spanning 
tree packing number of denoted by a{Q (”)), is the maximum number of edge-disjoint spanning trees of Q^ n \ 
It is a fact that lim —o(G^ n - 1 ') exists (see [[6] Proposition 4]); we denote this limit by cr(Q) and call it the spanning 

n—too 77 , 

tree packing rate of the graph Q. It was shown in (6j Theorem 5] that for a PIN model on Q, we have C(AA ) = ~a(Q). 
Therefore, by 0 we have Rco = H(Xm) ~ = \£\ — ~o(Q). We also have the following lemma, the proof of 

which is given in Appendix iBl 

Lemma 9. For a PIN model defined on a graph Q, we have Rsk < (to — T)Tf(Q). 
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Proof of Theorem^ The “if” part follows from Theorem [6] For the “only if” part, consider a PIN model on 
Q that is not of Type S. Using the fact that SK capacity equals the spanning tree packing rate, we then have via 

© 

a(g)=C(M)<A(S) = -^~. 

m — 1 

Therefore, \8\ > (m — l)a(Q), or equivalently, \S\ —a(Q) > (m — 2 )cr(G)- Since Rqo = \£ |— cr{G), we obtain 
Rco > Rsk via Lemma [9] ■ 

It is natural to ask at this point whether all Type S sources (not necessarily PIN models) are /I’sK-maximal. The 
answer turns out to be “No”, as shown by the following example. 

Example IV.l. Let W be a Ber(p) rv, for some p £ [0,1]: Pr[W = 1] = 1 — Pr[W = 0] = p. Let X\,..., X m be 
random variables that are conditionally independent given W, with 

Pr [Xi = 01 |W = 0] = 1 - Pr[Xj = 00 |W = 0] = 0.5 


and 

Pr[X t = 11| W = 1] = 1 - Pr [Xi = 10| W = 1] = 0.5 

for i = 1,2,... ,m. Denote by h(p) the binary entropy of p. 

It is easy to check that H(Xa) = |A| + h(p) for all A C A4, and H(Xi\Xj) = 1 for all distinct i,j £ A4. 
Therefore, all partitions V of Ad satisfy A(V) = h(p), and hence, I(Xjvf) = h(jp). In particular, Xm defines a 
Type S source. Furthermore, using ©, we have Rco = tn. 

We now show that R$k < Rco- Consider a Slepian-Wolf code (see m Section 10.3.2]) of rate H(X 1 IX 2 ) = 1 
for terminal 1. All terminals can recover X™ since iT(Xi|Xj) = 1 for all i £ {2, 3, ■ • ■, m}. Then, using the 
balanced coloring lemma Lemma B3] on X{\ an SK of rate H(Xi) — H(X 1 JX 2 ) = h(jp) can be obtained. 
Hence, Rsk < 1 < m = Rco- 

In fact, there exist non f?sK‘ max i ma l sources with S being a unique minimizer for ©. We provide one such 
example in Appendix |C] 


V. Omnivocality: When is it necessary? 

It is a well-established fact (see DO, 0) that to generate a maximal-rate SK within a two-terminal source model, 
it is enough for only one terminal to communicatelj So it is natural to ask whether this fact extends to the general 
multiterminal setting. In other words, for m > 3, is there always an SK generation protocol involving m — 1 or fewer 
terminals communicating that achieves SK capacity? If not, can we identify a class of sources where omnivocality, 


6 To be precise, the results in (TJ and (2) are based on a weaker notion of secrecy, where in Definition [ 2 ] the condition 7(K;F) < e is replaced 

by i/( K;F) < e. However, it can be shown that one terminal communicating suffices to achieve SK capacity for m = 2, in the stronger 

sense as in Definition [2| Terminal 1 uses a Slepian-Wolf code of rate H(X 1JX2) to communicate X ™ to terminal 2. Both terminals now use 

a balanced coloring (see [3] Lemma B.3]) on X ™ to get a strong SK of rate I(X 15X2) = I ( X ±, X2 ). 
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i.e., all terminals communicating, is required to achieve SK capacity? This section addresses these questions. The 
main result of this section says that if a source is strict Type S, then omnivocality is required for achieving SK 
capacity. 

Theorem 10. For a strict Type S source on in > 3 terminals, omnivocal communication is necessary for achieving 
SK capacity. 

There indeed exist sources which are strict Type S. We give a few examples of such sources in Section IyTI 
Theorem [TOl gives a sufficient condition for identifying sources where omnivocality is necessary to generate a 
maximal-rate SK. The next result shows that the condition is also necessary when m = 3, i.e., for any source on 
3 terminals which is not strict Type S , there always exists a non-omnivocal key generation protocol that leads to 
SK capacity. 

Theorem 11. hi the three-terminal source model, omnivocal communication is necessary for achieving SK capacity 
iff the singleton partition S is the unique minimizer for 1{Xjff) in ©. 

A conjecture was made in El that the necessity of omnivocality implies a strict Type S source for any m > 3. 
It turns out that the conjecture is incorrect. Chan et al. have found an explicit example lfl2l Example C.l] of a 
non-strict Type S PIN model on to > 3 terminals that requires omnivocality to achieve SK capacity. For ease 
of reference, we reproduce this example in Appendix [D] Theorem 5 in El indicates the existence of other such 


examples. 


We now turn to the proofs of Theorems [TO] and [TT| We prove the former theorem first. The main technical result 


used in the proof is the SK capacity with silent terminals by Gohari and Anantharam in |7l Theorem 6]. More 


precisely, suppose we restrict ourselves to SK generation protocols where, only an arbitrary subset of terminals 
T C Al is allowed to communicate. We denote the maximum rate of SK that can be generated by such protocols 
by It(Xm)- Then we havj^ 


Theorem 12 (Theorem 6, |7|). For any T C A4, It{X_m) = H{Xt) — R^ un \ where = min Ri, with 



( 20 ) 


Note that if I(Xm) > It(Xm) for all T C M of size |Tj = m — 1, then omnivocality is necessary for achieving 
SK capacity. Thus, our approach for showing that omnivocal communication is needed in certain cases is to use 
Theorem fl2l to prove that I(Avt) > It(-Vm) for all (to — l)-subsets T C Xi. For this, we will need a lower 


bound on R 1 ^" 11 ' 1 when |Tj = to — 1. To prove this bound, we make use of a simpler characterization (than that 


7 Theorem 6 of (7) was based on the weaker notion of secrecy pointed out in Footnote |6| However, it can be easily verified that the result is 
still valid for the stronger notion of secrecy as in Definition [2] 


July 13, 2015 


DRAFT 


16 


given in Theorem IT2l> of the rate region TZt when 7’| = rn — 1. 

Lemma 13. Let T = A4\ {u} for some u £ A4. The rate region 7 Zt is the set of all points ( Ri, i £ T) such that 

^Ri> H{X b \X t \ b ) V B CT,B ^0, and (21) 

ieB 

Y, R i>H{X T \X u ). 

i&T 


Proof: Observe that TZt is defined by constraints on sums of the form Y^iaB' Ri for non-empty subsets B' C T. 
When B' = T, the constraint is simply JA gT R t > H(Xt\X u ). 

Now, consider any non-empty B' C T. From Theorem[l2] we see that constraints on Ri arise as constraints 

on YlieBnr R t in two ways: when B = B' and when B = B' U {u}. Thus, we have two constraints on JA gS , R P 

Y,Rr>H(X B ,\X M \ B ,), 

i£B' 

obtained when B = B', and 

Ri > H{X B i \X t \b'), 

i£B' 

obtained when B = B' U { u }. The latter constraint is clearly stronger, so we can safely discard the former. ■ 
We can now prove the desired lower bound on R B un \ 

Lemma 14. Let rn > 3 be given. For T C M with 7’ = rn — 1, we have 

jer 


Proof: Consider any T C Xi with \T\ = m — 1. For each j £ T, let Bj = T \ {j}. Now, let (Ri, i £ T) be 
any point in TZt- Applying (|2TT > with B = Bj, we get 

H (X T \ {j} \Xj), 

i^Bj 

for each j £ T. Summing over all j £ T, we obtain 

1 ^)- ( 22 ) 

ieTiGBj jeT 

Exchanging the order of summation in the double sum on the left-hand side (LHS) above, we have 

Ri = Ri = ~ 2)^ = ( m - 2 ) Ri • 
jeTieBj ieT jeBi ieT ieT 
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Putting this back into (f22t . we get 

iGT jeT 

Since this holds for any point (Ri,i £ T) £ 7Zt, the lemma follows. ■ 

For the proof of Theorem [TOl we need some convenient notation. For T C M, \T\ = m — 1, define At(S) = 

Lemma 15. For m > 3 terminals, if the singleton partition S is the unique minimizer for I (Xj^i), then At(S) < 
A(S) for all T C M with \T\ = m — 1. 

Proof: For any u £ M, consider T = M\ {it}. Using A (S) = H{Xf) — H{Xm)\ and the 

definition of A t{S) above, it is easy to verify the identity 

^LA(S) = A T (S) + ^I(X U -,X T ). 

Re-arranging the above, we obtain 

A t(S) - A(S) = ^=s[A{S) - I{X U -X T )] 

=-±^[A{S) - A{V)\, (23) 

where V is the 2-cell partition {{?/}. 7'} of JA. By assumption, the expression in (l23l > is strictly negative. ■ 
With this, we are ready to prove Theorem flOl 

Proof of Theorem 17771' We will show that I (Xm) > It (Ax) for any T C M with \T\ = m — 1. First, note 
that since S is, by assumption, a minimizer for i(4j. we have I(A_vi) = A(S). Next, by Theorem fl2l and Lemma fl4l 
we have 


I t(X m ) < H{X T ) - ^ £ H(X t \ {i} \X z ) 

i&T 

= k m - 2)H(X t ) - £[ff(*r) - H(Xi)] 

ieT 

= A t(S). 

Therefore, It (Ax) A Ar(S) < A(S) = I(Ax)> the second inequality coming from Lemma fl5l ■ 

We conclude this section with the proof of Theorem [TT] Note that when rri = 3, Q reduces to 

I (X M ) = min{7(X {li2} ;X 3 ), J(X {li3} ; A 2 ),/(X {2j3} ; Ar), A(«S)}, (24) 

and so, the unique minimizer condition is equivalent to 

A(S) < min{J(A {1 i 2} ;A 3 ),/(A {1j3} ; A 2 ),/(A {2>3} ; A,)}. 
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Note also that A(S) = (X x ) + H(X 2 ) + H(X 3 ) - H(X {1 ^ 3} )]. 

Proof of Theorem m The “if” part is by Theorem 1101 For the “only if” part, suppose that A(<S) > 
min{/(X { 1 2 }; X 3 ), J(X{ li3 }; X 2 ), I(X { 2 3 }; Xi)}. Then, A(«S) is either (a) greater than or equal to at least two 
of the three terms in the minimum, or (b) greater than or equal to exactly one term. Up to symmetry, it suffices to 
distinguish between two cases: 

Case I: A(S) > max{/(X {lj 2 } ; X 3 ), J(X {1 , 3} ; X 2 )} 

Case II: mi n{J(X {li3} ; X 2 ), I(X {2i3} ; X 3 )} > A(S) > J(X {1>2} ;X 3 ) 

In each case, we demonstrate a capacity-achieving communication in which at least one terminal remains silent. 

We deal with Case I first. Observe that A (S) can be written as \ [I{X 1 ; X 2 )+/(X { 1 2 y, X 3 )]. Thus, the assumption 
A(iS) > /(X{ lj 2 };X 3 ), upon some re-organization, yields /(X 15 X 2 ) > Z(X{i 2 \; X 3 ), i.e., 

I(X i; X 2 ) > J(X 1 ;X 3 ) + /(X 2 ;X 3 |X 1 ). (25) 

Similarly, using the identity A(«S) = -y[/(Xi;X 3 ) + J(X{i 3 j; X 2 )] in the assumption A (S) > I(Xy 3 y, X 2 ), we 
obtain /(Xi;X 3 ) > I(X {lt3 yX 2 ), i.e., 

/(Xi;X 3 ) > I(Xi;X 2 ) + /(X 2 ;X 3 |Xi). (26) 


The equalities in d25l > and (126b can simultaneously hold iff 


Z(Xi;X 2 )=/(Xi;X 3 ) and 


J(X 2 ;X 3 |X 1 ) = 0. 


(27) 


From (l27l >. it is not hard to deduce that the quantities /(X{ 12 j;X 3 ), / (X{ L3 |; X 2 ) and A (S) are all equal to 
J(X i; X 2 ), and /(X {2 3 } ;X 1 ) = /(X i; X 2 ) +/(X i; X 3 |X 2 ) > J(X i; X 2 ). In particular, I(X {1 , 2i3} ) = J(X i; X 2 ). 

From the first equality in (l27l >. we also have H{X i|X 2 ) = H(X i|X 3 ). Now, it can be shown by a standard 
random binning argument that there exists a communication from terminal 1 of rate II(X\ |X 2 ) = H(X i|X 3 ) 
such that X" is a CR. It then follows from the “balanced coloring lemma” 0 Lemma B.3] that an SK rate of 
H(X 1 ) — H(X i|X 2 ) = J(Xi;X 2 ) is achievable. Thus, the SK capacity, I(X { 1 j2 , 3 }) = Z(Xi;X 2 ), is achievable 
by a communication in which terminals 2 and 3 are both silent. 


Now, consider Case II, in which we obviously have I(X{ 3j2 , 3 }) = Z(X { 3 2 };X 3 ). The idea here is to show that 
a valid communication of rate H(X{i 2 y\X 3 ) exists in which terminal 3 is silent and (X". X'f ) is a CR. Given 
this, an application of 0 Lemma B.3] shows that an SK rate of H(Xr 12 y) — i7(X| 12 }|X 3 ) = /(Xr 12 i;X 3 ) is 
achievable. Thus, there is a I(X{! 2j3 })-achieving communication in which terminal 3 is silent. 

To show that the desired communication exists, we argue as follows. For i = 1,2, let 11, be the rate at which 
terminal i communicates. A standard random binning argument shows that an achievable (If, Ii 2 ) region, with 
terminal 3 silent, for a communication intended to allow recoverability of (X™, X 2 ) as CR at all terminals is given 
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(28) 


Now, using the assumption in Case II that A(«S) > I(X{ l 2 y,X 3), we will prove that the inequality 

ff(Xi|X 2 ) + H(X 2 \X 1 ) < H(X {m \X 3 ) (29) 

holds. It would then follow from (f28l> that there exist achievable rate pairs (Ri, R 2 ) with Ri+R 2 = H(Xy 2 ^\X 3 ), 
thus completing the proof for Case II. 

So, let us prove (29). We have A(S) = \[H(X{) + H{X 2 ) + H{X 3 ) - H(X {hm )] and I(X {m ;X 3 ) = 
H(X{ 1 , 2 }) + H(X 3 ) — H(X{i j 2 , 3 })- Using these expressions in the inequality A (S) > I{Xy^y,X 3 ), and re¬ 
arranging terms, we obtain 

\rnXJ +H(X 2 ) - 2 H(X {h2} )\ >\[H{X 3 ) - H(X W} )\, 

which is equivalent to < [29b . This completes the proof of the theorem. ■ 

VI. Finding the minimizing partition 

The condition that the singleton partition be a unique minimizer for I(X_m) plays a key role in the results of 
Section [IV] and [V] Thus, it would be very useful to have a way of checking whether this condition holds for a 
given source A'_,vf, m > 3. The brute force method of comparing A (A) with A('P) for all partitions V with at least 
two parts requires an enormous amount of computation. Indeed, the number of partitions of an m-element set is 
the mth Bell number, B m , an asymptotic estimate for which is (logu>) 1 / 2 w; m- ' u 'e 1i ', where w = [1 + o(l)] is 

the solution to the equation m = w ]og(w; + 1) Il28l Example 5.4]. The proposition below brings down the number 
of comparisons required for verifying the unique minimizer condition to a “mere” 2 m — m — 2 . 

For any non-empty subset B = { b\ , b 2 ,..., b | B |} of M with \B\ < m, define V B = {B c , {bi}, {b 2 },{&| B |}} 
to be the partition of Xi containing B \-\-1 cells, of which \B\ cells are singletons comprising the elements of B. 
Note that if \B\ = m — 1, then Vb = S. 

Proposition 16. For m > 3, let il = {B C M. : 1 < \B\ < m — 2}. The singleton partition S is 

(a) a minimizer for l(Xj^) iff A(S) < A(V B ) V B £ Q; 

(b) the unique minimizer for Y(Xm) iff A(«S) < A(V B ) VB € Cl. 

There is in fact a strongly polynomial-time algorithm (see lfl2l ) for determining the minimizing partition of (|4). 
However, Proposition [16] is better suited to the purposes of our work. 

Proof of Proposition 176} We prove (b); for (a), we simply have to replace the *>’ in ([301 below with a *>’. 
The “only if” part is obvious. For the “if” part, suppose that A(<S) < A(V B ) for all B C M. with 1 < \B\ < m— 2. 
Consider any partition V of M, V f- S, with \P\ > 2. We wish to show that A{V) > A (S). 
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The following identity can be obtained from the definition of A(V) by some re-grouping of terms: 

£ 1^1 A (Pa*) = (\V\~1)[A(V) + (m - l)A(S)]. 

AGV 

Thus, we have 

A(P) = l^ c l A PM - (™ ~ i)A(S) 

> £|A c | A (5)-(m-f) A (5) (30) 

' ' A&V 

= mA(5)-(m-l)A(5) = A(5). (31) 

The inequality in (f30b is due to the fact that at least one A £ V is not a singleton cell, so that Va c ^ S, and hence, 
A(Ta c ) > A(«S) by assumption. To verify the first equality in (OH . observe that ^2 ^-p\A c \-= ^Aev^i^A 1 = 
J2ZiE A eV:i^ = m(\Vhl). ■ 

Next, we apply Proposition [j~6l to some interesting special cases. Random variables X\. X 2 ,..., X rn , m > 2, are 
called isentropic if H(X A ) = H(Xb) for any pair of non-empty subsets A. 13 C Jv[ having the same cardinality. 
Equivalently, X\,... ,X m are isentropic if, for all non-empty A C Xi, the entropy // (X A ) depends only on ,4|. 
As a result, for disjoint subsets A, B C Xi, conditional entropies of the form H(X A \Xg) depend only on A\ and 
\B\. 

Corollary 17. Isentropic random variables form a Type S source. 

The proof involves checking that A(«S) < A (Vb) holds for all B £ O, so that the result follows from 
Proposition fl6l a). We defer the details to Appendix [E] 

There are many examples of isentropic random variables. For example, exchangeable random variables (cf. j29)) 
are isentropic. (Random variables X i: X 2 , ■ ■ ■, X m are exchangeable if for every permutation 11 : X4 -a A4, 
the distribution of A n(1 ), A n ( 2 )i • • ■, ^n(m) remains unchanged.) A more relevant example for us is the PIN 
model defined on the complete t-uniform hypergraph on m vertices, K m t . More precisely, the complete t-uniform 
hypergraph K m ,t = (V, £) has V = A4, and exactly one copy of every f-subset (i.e., subset of cardinality t ) of M 
belongs to E. It is straightforward to check that the random variables X \. X 2 ,..., X rn in the PIN model on K rn j 
are isentropic, and hence the source is Type S. In fact, we will show below that this PIN model is strict Type S, 
and therefore it satisfies the hypothesis of Theorem [TO] For this and other results proved in the rest of this section, 
it will be useful to state a specialization of Proposition fl6l to hypergraph PIN models. 

In the case of hypergraph PIN models, for any B £ fl, A (Vb) can be written as A (Vb) = ^ ’ 

where Ps(e) is the number of parts of the partition Vb intersecting with e. On the other hand, A (S) = A—LLA. 
Hence, Proposition [16] can be rewritten for the PIN model as 

Corollary 18. For a PIN model described on a t-uniform hypergraph, the singleton partition S is 
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(a) a minimizer for l(X M ) iff ^j 1 ^ 1 < 11 V B G Q; 

(b) the unique minimizer for I {Xm) iff —~ V.B £ Q. 

Corollary 19. The PIN model on K mf is strict Type S. 

The proof is a relatively straightforward matter of checking that the condition in Corollary fl 8 lb) holds — see 
Appendix [E] for the details. 

We next give an example of a non-isentropic source which is strict Type S. Consider the PIN model defined on 
a k -regular fc-edge-connected graph (A = 2). Formally, a graph Q = (V, £') is called k-regular if every vertex in 
v £ V has degree k, i.e., there are exactly k edges in £ which are incident with the vertex v. A graph is called 
k-edge-connected if deletion of any fc-subset of £ does not disconnect the graph, but there exists at least one 
(fc + l)-subset of £ the removal of which disconnects the graph. 

Corollary 20. A PIN model on any k-regular, k-edge-connected graph is strict Type S. 

The proof is again an application of Corollary |T 8 jb); the details are in Appendix [E] 

The m-cycle C m is a special case of a A;-regular and fc-edge-connected graph, with k = 2. Formally, the m-cycle 
C m = (V, £), is a graph with V = Ad and £ = + 1}}^ ]J{{ 1 ,to}}. The complete graph K m g is 

another example of a fc-regular fc-edge-connected graph with k = m — 1. There is in fact a broad class of fc-regular 
fc-edge-connected graphs called the Harary graphs (see | f30l and |3ij) of which C m and K m ,2 are special cases. 

So far, the only example we have seen of a strict Type S source on a A-uniform hypergraph, with t > 2, has 
been the PIN model on the complete A-uniform hypergraph, K m ,t- It is natural to ask whether other classes of PIN 
models on A-uniform hypergraphs (A > 2) exist which are strict Type S. The answer is ‘yes’. We will construct 
a class of uniform hypergraphs with A = 3, such that the PIN models on them are strict Type S. To do this, 
we introduce the Steiner triple system (STS) defined on the set Ad. An STS on Ad is a collection of 3-subsets 
of A4, which we will denote by STS(Ad), such that any pair of elements from Ad is a subset of exactly one 
element of STS(Ad). A trivial example of an STS is to = 3 and STS(Ad) = {{1,2,3}}. It is a fact that such 
collections indeed exist as long as gcd(m — 2,6) = 1 (see lf32l Theorem 2.10]). For example, consider m = 7. 
Then, STS(Ad) = {{1, 2,4}, {2,3, 5}, {3,4,6}, {1, 5,6}, {2,6, 7}, {1,3, 7}, {4, 5, 7}}. Now, consider the 3-uniform 
hypergraphs TAsts = (Ad, STS (Ad)), for all m such that STS(Ad) exists. We will show that a PIN model defined 
on Hsts with m > 3 is strict Type S. 

Corollary 21. A PIN model on Hsts with to > 3 is strict Type S. 

Again, the proof of the corollary is given in Appendix |E] 

Corollaries [19] | 20 ] and | 2 T] show that the PIN models on K m ,t, fc-regular fc-edge-connected graphs, and TLsts 
satisfy the hypotheses of both Theorems [ 6 ] and [lO] Thus, for these sources to achieve SK capacity, an omnivocal 
communication is required. Also, the minimum rate of communication required is Rco- Hence, in terms of public 
communication, these are the worst-case sources. 
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VII. Concluding remarks 

This paper dealt with two important aspects of the public communication required to generate maximal-rate SKs 
in the multiterminal source model, one being the communication complexity Rsk, and the other being omnivocality. 
By extending the arguments in [ 8 j to the setting of multiple terminals, we derived a lower bound on Rsk in terms 
of an information-theoretic quantity called the (multiterminal) interactive common information. In the two-terminal 
case, it was shown in ED that this bound is always tight, albeit under a weaker notion of secrecy. Proving such a 
result for the general multiterminal case remains an open problem. 

The minimum rate of communication for omniscience, Rco, is still the best known upper bound on -Rsk- We 
proved that uniform hypergraph PIN models satisfying a certain “Type 5” condition are RsK-maximal. In other 
words, for these PIN models, Rsk is equal to Rco- It was also shown via counterexamples that the Type S 
condition is not sufficient to guarantee RsK-maximality for an arbitrary multiterminal source model. A complete 
characterization of RsK-maximal sources is an interesting open problem. 

It should be pointed out that neither our lower bound nor the Rco upper bound takes into account the fact that 
the public communication is allowed to be interactive. It is possible that incorporating this information somehow 
leads to better bounds on Rsk- 

The problem of characterizing communication complexity in the multiterminal source model is the stepping stone 
towards two bigger problems of interest. One is to characterize the communication rate region required to achieve 
SK capacity. The second problem is that of determining the minimum rate of communication required to generate 
an SK of any arbitrary rate less than or equal to SK capacity. Both these questions appear to be difficult to answer 
at this point. In fact, these questions are still open for the two-terminal case. It should be pointed out that these 
questions have been answered for a model similar to the multiterminal source model in lfT8l . However, that model 
has severe constraints on the eavesdroppers, which makes it somewhat less interesting. 

On the issue of omnivocality, we proved that for all strict Type S sources, omnivocality is needed to achieve SK 
capacity. The converse of this fact, i.e., omnivocality is required only if the source is strict Type S turns out to be 
true for three terminals, but no longer holds for four or more terminals. A more general problem along these lines 
is, given an arbitrary multiterminal source model, what is the minimum number of terminals that must participate 
in a public communication to generate a maximal-rate SK for the entire set of terminals? The answer to the “dual” 
of this problem, i.e., what is the maximum rate of SK that can be generated when a fixed number of terminals 
remain silent, is already known from the work of Gohari and Anantharam G). 

Appendix A 
Proof of Lemma[7] 

First we state two lemmas which we will require for the proof. 

Lemma 22. For independent random variables X, Y and W, and any other random variable Z, we have 

I(X-Z\W) < I(X-Z\W,Y). 
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Proof: This follows by expanding /(X; Y, Z\W) in two different ways using the chain rule, and noting that 
I{X-Y\W) = Q. ■ 

Lemma 23. For independent random variables X and Y, and any other random variable Z, we have 


I{X-Z) + I{Y-Z)<I{X,Y-Z). 


Proof: By Lemma H3 we have /(X; Z) < /(X; Z\Y), and hence, /(X; Z) + I(Y; Z) < /(X; Z\Y) + 
I(Y-Z) = I(X,Y-Z). m 


We first show that it is enough to prove Lemma [7] for the complete f-uniform hypergraph PIN model K rnt 
(refer to Section [VT] for details on K rn t ) and the corresponding source Xj^. Consider any f-uniform hypergraph 
PI = (V, £) with |V| = m and the corresponding source XL,, and fix a function L of XL,. For any f-subset e of 
V, define r(e) to be the number of times it occurs in the multiset £, and call r = max r(e). Now, construct a 

eCV:|e|=t 

new source as follows: To the multiset add n{r — r(e)) copies of each f-subset e of V. Associate with each 
of these newly added subsets independent Ber(l/2) random variables, which are independent of the pre-existing 
Ber(l/2) random variables as well. Observe that the source thus constructed is none other than Xff. Moreover, we 
clearly have YliL i L) > Y2iLi I(X";L), and hence it is enough to show that ffJ(L) > YYILi -TL). 

For the rest of proof we will take Xj{, to be the source described on X m t . We also have J(XJ^;L) = iT(L) 
from the fact that L is a function of XWe now show that the PIN model on K,„ j satisfies 

m 

E I((€ : * G e, e G £); L) < f /((£ : e G £); L), (32) 

2=1 

where represents the collection of the n £ e ’s associated with the n copies of the hyperedge e in £ <n> . 

For any i G A4 , let £, denote the set of hyperedges containing i, so that the left-hand side of (l32l > can be expressed 
as YYiL i : e S £i); L). Now, we write £i as a union of two disjoint sets £>j and £^ i , i.e., £i = £>, {J£%i- 

The set £>, is the subset of £, containing no terminals from {1, 2,— 1}. The set £y, is thus the subset of £, 
containing at least one terminal from {1,2,...,* — 1}. Observe that we have |£>i|= (ZYi) for 1 < i < to — f + 1 
and \£>i\= 0 for m — t + 2 < i < m. Therefore, 


m-t -\-1 


:ee£);L) 

2=1 

= I ((C : e € £>i) ; L) + 53 / ((C : e e £^) ; L) + I ((£ : e G £>f) ;L| (£ : e € £*)) 

2=2 L 

m 

+ E 

( / \ \ 

f E ee£^): L) 


i=m— 1+2 


m-t -\-1 


<im ■ e 6 £>i) ;L) + E 1 I (C : e G £>i) T ( £ : e G |J % 

j<i 


2=2 


2=2 
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m 

+ E H^-eeSi)-, L) 

i=m—1-\-2 


(33) 


ra—i+1 m 

= J((£:eG£); L)+ E 1 ((C = e 6 £*) ; L ) + E ^ ((£? : e G £,); L) (34) 

i—2 i—rn —£+2 



where (f33l) follows from Lemma 1221 Note that for t = 2, (132} follows directly from < 134b : by virtue of Lemma [23l 
we have Q + R < P, so that the right-hand side (RHS) of ( [34} is at most 2 P, as desired. However, the case of 
t > 2 is not as simple and needs further work. 

To achieve the RHS of ([32}, we require Q + R < (t — l)P. We proceed by defining Q(i) = I ((£" : e G £y,i) ; L) 
for all 2 < i < m — t + 1, and thus, Q = 2 t+1 Q(i). Similarly, define R(i) = / ((£" : e G Si) ;L) for all 

m — t + 2 < i < m, so that R = YHiLm-t +2 R{i)- The key ideas are the following: 

1) Expand each Q(i) using the chain rule into conditional mutual information terms of the form /(£";L|- ■ •), 
and further condition them on additional £? s appropriately. 

2) Allocate these conditional mutual information terms to appropriate R(i) s. 

3) Use the chain rule to sum each R(i) and the terms allocated to it to obtain P. 

Since the conditional mutual information term /(£"; L|- • •) can only increase upon further conditioning on additional 
£™s (by Lemma [22} . we have Q + R < (f — 1 )P as required. 

To proceed, we need to define a total ordering on the set S. We represent a hyperedge e as a /-tuple (life ■ ■ ■ it), 
with the ij s, 1 <3 <t, being the terminals which are contained in e, ordered according to i\ < fe < ... < i t . 
We will use *<’ to denote the lexicographic ordering of the f-tuples (hyperedges) in £. Furthermore, based on the 
ordering *<’, we index the hyperedges of £ as e^, 1 < j < satisfying e, < e :t iff i < j. As an example. Table 
Q] illustrates the indexing of the hyperedges in 


TABLE I: Indexing of the hyperedges in 


Hyperedge 

Index 

(123) 

1 

(124) 

2 

(125) 

3 

(134) 

4 

(135) 

5 

(145) 

6 

(234) 

7 

(235) 

8 

(245) 

9 

(345) 

10 


To proceed further, using the chain rule we expand each Q(i) into a sum of conditional mutual information terms 
of the form Q e = 7(£";L|(£~ : e < e, e G £)) as follows: 

Q(t)=/((C:eG^);L) 
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e&E^i 


E AC;L|(g:g<e,e£5)) 

(35) 



E Qe 

(36) 

i 



where (l35l > follows from Lemma 1221 Hence, we have Q < YYhL 2 Y2 e e£ Qe- ^ total of YYY= 




i,—i\ 
-1) 


fm— 

\t 


(?-■,■) - 


= (t — l)( m 7 1 ) Qe terms are generated. Next, each f?(i) is allocated (” l “ 1 ) terms Q ej , 1 < j < (™), 
satisfying * ^ e?. This allocation procedure is explained in detail below and is also formalized in Algorithm!]] We add 
a further conditioning on each Q ej allocated to R(i) to make it Q ej]i — /(£"t; L|(£™ : e < e.,-, e £ £), (£" : e £ £*)). 
Lemma l22l and the definition of Q ejli ensure that R{i ) + Qej < ii(z) + Qe jti = P- 

We now give a more detailed description of the allocation procedure. Construct a table T with rows indexed 
by i = 2,3,..., m — t + 1 and the columns indexed by j = 1, 2,..., (™). This table records the availability (for 
allocation) of a Q ej from the expansion of Q(i) in ( 1361 ). Initialize the table as follows: T(i,j) = 1 if a Q e . came 
from Q(i ) in (l36l >: else T(i,j) = 0. We carry out the allocation procedure on each R(i) in ascending order of i. 
The procedure of allocation is as follows. The idea is to allocate the necessary Q ej s to R{i) in ascending order 
of j. Once an i and ej are fixed, we test whether i (f e 7 is satisfied. If not, we increment j by 1. If i (f e :) is 
satisfied, then the availability of Q ej from Q[k), for all 2 < k < m — t + 1, is checked using the table T. The 
smallest k which satisfies T(fc,j) = 1 is chosen, and R(i) is allocated the Q ej coming from that Q(k). The table 
is then updated with T(k,j) = 0 to record that the Q t j from that Q(k) is no longer available for allocation. We 
then increment j by 1 and repeat the allocation procedure. Once all Q ej s with i £ ej have been allocated to R(i), 
we begin the allocation procedure for Ii(i + 1). We formally summarize this allocation procedure in Algorithm|T] 
The flow of Algorithm [I] for /\ 5 3 is illustrated in Example IA.1I further below. We now make the following 
claims: 


Claim 1. Algorithm [7] never terminates in ERROR. 

Claim 2. Algorithm\J\ exhausts all the Q e terms generated in (1361) . 

Claim [j] ensures that each R('i). for all m — t + 2 < i < m, is allocated all the Q e .s satisfying i (f ej. Therefore, 
using Claim [2] we have 


Q + R — ^ 


i=m— 1+2 


< E 


R(i) + Y ] Qe 

3 

+ E Q e ili 




i=m-t-\- 2 

This completes the proof of Lemma [7J modulo the proofs of Claims |T] and [2j which we give below. 
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Algorithm 1 

i = m — t + 2, j = 1. 

while i < m do 
if i ^ then 

k = 2. 

while k < to — t + 1 do 
if T(k,j) = 1 then 

Choose the coming from Q(fc) in (l36l >. 

Add the additional conditioning to make it Q ej|4 . 
Allocate this term to R(i). 

T(k,j)<r- 0. 

Break. 

end if 

if T(k,j) = 0 && k = m — t + 1 then 

Declare ERROR and halt, 
end if 
k t— k + 1. 

end while 
end if 

j j + 1 - 

if 3 ~ (?) + 1 t * ien 

i f— * + 1. 

j 1 - 

end if 
end while 


Proof of Claim [7} ERROR is possible only if for some m — t + 2<i<m and for some e satisfying i (f e, 
all the Q e terms generated in (l36l have already been allocated. This is impossible as there are always enough Q e s. 
To see this, suppose e contains t — l—p terminals from {m — t + 2, ..., m}, i.e., there are p R[i) s requiring an 
allocation of Q e . Since the hypergraph is /-uniform, e must contain p + 1 terminals from {1.2,..., m — / + 1}. 
This implies that the total number of Q e s generated in ( f36t is p. Therefore, we clearly have enough <5 e s for all 
R{i) s. ■ 

Proof of CIaim\2} As discussed earlier, the total number of Q e terms generated in (l36l > is (t 1) ("'{ 1 ). Also, 
the total number of Q e terms required by each R(i) is ("'f 1 ). Therefore, using Claim [Q the claim follows. ■ 

Example A.l. We illustrate how Algorithm^] proceeds for K 5 , 3 . Denote the hyperedges in £ using 3-tuples, i.e., 
the hyperedge containing terminals 1, 2 and 3 is (123). The indexing of £ is illustrated in Table\j\ So for this case 



form 


Q( 2) < I(^i 2 3 y,L) + I(^ m ;L\(C : e < (124)) + J(^ 12S) ;L|(£ : e < (125)) 

q { 3) < ■■ e < (134))+ i{^ y ,m n e ■■ e < (135)) 


(37) 


+ ^ 2 34);i|(ff : e < (234)) +I(^ 235 y,L\(C : e < (235)) 


(38) 
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Observe that R( 4) and R( 5) require four Q e terms each, and a total of eight Q e terms are in fact available from 
d37) and (138b . The table T is initialized as follows: 



1 

2 

3 

4 

5 

6 

7 

8 

9 

10 

2 

1 

1 

1 

0 

0 

0 

0 

0 

0 

0 

3 

1 

0 

0 

1 

1 

0 

1 

1 

0 

0 


We will now illustrate a few of the allocations carried out by Algorithm [7] The algorithm begins with i = 4 and 
j = 1 and Q(i 23 ) needs to be allocated to i?(4). With k = 2 we see that T[k , 1) = 1, and hence we allocate <5( 12 3) 
coming from Q{2) to R( 4). The table T is then updated as below. 



1 

2 

3 

4 

5 

6 

7 

8 

9 

10 

2 

0 

1 

1 

0 

0 

0 

0 

0 

0 

0 

3 

1 

0 

0 

1 

1 

0 

1 

1 

0 

0 


Next we will illustrate the allocation o/<5(i23) to R( 5), i.e., i = 5 and j = 1. The state of the table T just before 
this step is shown below. 



1 

2 

3 

4 

5 

6 

7 

8 

9 

10 

2 

0 

1 

0 

0 

0 

0 

0 

0 

0 

0 

3 

1 

0 

0 

1 

0 

0 

1 

0 

0 

0 


Setting k = 2, we see that Tift , 1) = 0. So, we move to k = 3, for which T(k , 1) = 1. Hence the <5(i23) term 
coming from <5(3) is allocated to R( 5), and the table T is updated as below. 



1 

2 

3 

4 

J 

6 

7 

8 

9 

10 

2 

0 

1 

0 

0 

0 

0 

0 

0 

0 

0 

3 

0 

0 

0 

1 

0 

0 

1 

0 

0 

0 


We give one last example of an allocation. Observe that e = (234) is the largest (in terms of the ordering on £) 
hyperedge such that Q e needs to be allocated to Riff). We will now illustrate this step. This happens when i = 5 
and j = 7. The updated table T just before this step is shown below. 



1 

2 

3 

4 

5 

6 

7 

8 

9 

10 

2 

0 

0 

0 

0 

0 

0 

0 

0 

0 

0 

3 

0 

0 

0 

0 

0 

0 

1 

0 

0 

0 


With k = 2, we see that T(k,7) = 0. So set k = 3, and note that Tift, 7) = 1. So, we allocate to R( 5) the 
<5(234) term contributed by <5(3). Upon updating, the table T now has all entries to be 0. Observe that at this 
point no other allocation is required, as the Q ej s for j = 8, 9 and 10 are not required by Riff) since terminal 5 
is contained in each of eg,, eg and eio- Thus Algorithm^]] successfully terminates. Finally, we rewrite dm and (f38b 
with underbraces showing the R{i) term to which each Q e term was allocated by Algorithm [7] 
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Q( 2) < ■■ e < (124)) + /(£f 125) ;L|(e : e < (125)) 

'---' '-.-' --V-" 

fl(4) R( 5) R( 4) 

Q( 3) < ^ri 23 )^) + ^i34);^l(C : e < (134)) + /(£f 135) ;L|(e : e < (135)) 

'-v-' '-V-" '-,-" 

R( 5) R( 5) R( 4) 

+ I(^ 23 4 );L|(C : e < (234))+I($ 3B) ;L|(£ : e < (235)) 


(39) 


(40) 


R( 5) fl(4) 

It can be clearly seen from ( 1391 ) and S that R(i),i = 4, 5, have each been allocated with all Q e s with i f. e, 
and no Q e is left unallocated. 


Appendix B 

The proof of Lemma [9] 

Fix an n £ N and let {Tj, T 2 ,..., Tj.( n )} be a set of edge-disjoint spanning trees of Q in> of maximum cardinality 
(T <Jl '> := a(G (n> ). We will run Protocol 1 of l29l independently on each of the trees Tj, 1 < j < a { ' n) . For the sake 
of completeness, we describe the protocol below. 

Fix a spanning tree Tj , 1 < j < o^ n \ and fix a specific edge e from the set of edges of Tj. Define j(Tjj := £ e , 
where, as usual, f , denotes the random variable associated with the edge e. For any vertex i € M, denote by dj (%) 
the degree of the vertex i in the spanning tree Tj. For any vertex i satisfying dj(i) > without loss of generality 
we label the edges of Tj incident on it by e(l), e(2),..., e(d), where d = dj(i). The communication from terminal 
i derived from Tj is F Tj {i) ■= (£ e (i) © £ e ( 2 ),£ e ( 2 ) © £ e ( 3 ), • ■ ■ ,£ e (d-i) © £,e(d)), where © denotes the modulo-2 
sum. Let = (Fj^.(ljjFj^.(2),... jFj^m)), and let Jj-, denote the range of Fyv. It is not hard to check the 
following facts: Firstly, every terminal can recover £(Tjj from Fjv. Secondly, J(Fjv; £(Tjj) = 0. Thirdly, 

m m 

loglJ^ |= ^^[dj(i) ~ 1] = dj(i) — m = 2(to — 1) — m = m — 2, (41) 

i— 1 2—1 

where we have used the fact that the number of edges in any spanning tree is m — 1. 

To complete the proof, we show that this protocol has communication rate (m — 2)cf(G) and achieves SK capacity. 
Denote the entire communication (Fx, , F T2 ..... F T (n) ) by F and denote its range by T. Set K = (£(Tj), £(T 2 ),..., 
^(Tjcn))). Noting that the spanning trees Tj, 1 < j < <j (n> are edge-disjoint, we have, using the independence of 
the random variables associated with the edges in £("), TT(K) = o-W, log|.F|= (to - 2)cr( n ) and T(K; F) = 0. 
Therefore, K is a secret key satisfying lim —TT(K) = o(Q), and hence the protocol is capacity-achieving. The 

n—f oo Tl 

protocol used a communication rate of (m — 2)a(Q) and thus Rsk < (m — 2)a(Q). 
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Appendix C 

An example of a non-A S k-maximal strict Type S source 

In this section we provide an example of a source which is strict Type S and yet is non f?sK-maximal. To construct 
such a source we need to define “clubbing together” of independent multiterminal sources on M. Formally, for 
independent sources Xff and Yjfo, define the clubbed source Z’J^ as Zf = {X' 1 , Yf), for all i £ A4. 11^- and lly 
are defined to be the sets of partitions of N4 which are minimizers of (0 for X’f and Y£ t , respectively. We will 
denote the communication complexity (resp. minimum rate of communication for omniscience) for the individual 
sources XX and YX by i?sK x ar *d Rsk y ( res P- Rco x and Rco Y ) respectively. The clubbed source satisfies the 
following result. 

Proposition 24. Consider two independent multitenninal sources X’jf and YJ^ and the corresponding clubbed 
source ZThen we have 

I(Z m )>I(X m )+I(Y m ) (42) 


with equality iff II ^ P| Ily ^ 0. 

Proof: Consider any partition V = {A 1; A 2 , ■ ■ ■, Af} of A4. We have 


A (V) = 


1 


1 

1 


^2,H(Z Ai ) - H{Z m ) 
.2 = 1 
' t 

Y,H{X Ai ) - H{X m ) 


1 


J2H(Y Ai )-H(Y M ) 


(43) 


Ay(7>) 


A X (P) 

where (j43j follows from the independence of XX and YX. 

Thus we have from d43l ) that minp A{V) > minp AxifP) + min-p A Y {V) with equality iff V £ IT^ P| lly . The 
result follows. ■ 

We conclude the section by constructing a non Ask- maximal source with S being the unique minimizer in 0. 


Example C.l. Consider a clubbed source Z'f^ = (XJf, Yjfa ), where X’f is the source described in Example 
I A' /I and YJ^ corresponds to the PIN model on a k-regular, k-edge-connected graph. By Corollary \20\ we have 

n * Y = {5}. 

Since IT^- f) Ily = {5}, using Proposition 1241 we have SK capacity I(Zm) = I{Xm) +/(Fm). By independently 
running protocols achieving Rsk x an d Rsk y , an SK of rate I(Xm) +/(Tm), i.e., SK capacity can be achieved. 
The communication rate used in independently running the two protocols is Rsk x + Rsk y - Now, 0 and the 
independence of X^ and YJ^ show that Rco = Rco x + Rco Y - On the other hand, it is shown in Example I A.' / I 
that Rsk x < Rco x ■ Therefore, we have 


Rsk < R’Sk x + Rsk y < Rco x + Rco y — Rco- 
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Appendix D 

A non-strict Type S source requiring omnivocalitv^ 

For m> 4, consider the multigraph Q = (V, £) with V = A4 as usual. The multiset £ consists of to — 2 copies 
of the edges {i, i + 1} for 1 < * < to — 1, and to — 1 copies of the edge {1, to}. Using techniques derived in [| 6 ] 
Theorem 5], it can be shown that for the PIN model defined on Q , we have = to — 1. We will show below 

that this PIN model is non-strict Type S, and yet it requires omnivocality to achieve SK capacity. 

We first show that the source is not strict Type S. Simple computations reveal the following facts: H(Xi ) = 
2(to - 2), for all i € {2,3,..., to — 1}, H{X 1 ) = H(X m ) = 2(to - 2) + 1, H(X 1 ,X m ) = 3(to - 2) + 1 and 
H(Xm) = rn{m — 2) + 1. Using these it is easy to check that A(«S) = to — 1, and moreover, A(V*) = m — 1, 
where V* = {{1, to}, {2}, {3},..., {m — 1}}. Hence the source X^ is Type S, but not strict Type S. 

Now, we show that this source requires omnivocality to achieve SK capacity. As in the proof of Theorem [10] 
we make use of Theorem fl2l and show that for any T C M. with \T\ = m — 1, we have ItPTm) < I(X/k). Let 
T = A4 \ {u} with u E M.. Using symmetry it is enough to show It(X_m) < \{Xm) for the following two cases: 

Case I: u = 1. 

Case II: u S {2, 3,..., to — 2}. 

In both cases we will derive lower bounds on and hence obtain an upper bound on It(Xm)- First we 

deal with Case I with T = {2,3,..., to}. In this case, H(Xt) = m{m — 2) + 1. Also, any point in 7 Zt satisfies 
the following constraints from (l 2 TI> : 

m— 1 

*3, • • ■ , X m -l\Xm) = (m - 2) 2 

i =2 

Rm > H{X m |X 2 , X 3 , . . . , X ro _i) = TO — 1 
Using the above constraints, we have R,j!' u ^ > (to — 1) + (to — 2) 2 . Thus, 

I t{X m ) = H(X t ) - i?r min) < to (to - 2 ) + 1 - (to - 1 ) - (to - 2) 2 = to - 2 < to - 1 = \{X M ). (44) 

Hence, SK capacity cannot be achieved with terminal 1 remaining silent. 

Next we deal with Case II. Assume an arbitrary u £ {2,3,..., to — 2} is silent. As in Case I, we have H(Xt) = 
m(m — 2 ) + 1 . We see from (| 2 TT > that the rate region 7 Zt is defined in part by the following constraints: 

If—1 

Ri + Rm > H{X\, X 2 ,..., X u _i,X m |X n+ i,X u+2 , • • • 5 Xm-i) = u(m — 2) + 1 

2=1 


8 This example is a contribution of Chan et al. See 02. 
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m —1 

> H(X u+ i, X u+2 ,... ,X m _i|Xi,X 2 ,... ,X„_i,X m ) = (m — u — 1 )(to — 2) 

2 = 14+1 

The above constraints imply that R^ nin ' ) > (m — 2)(m — 1) + 1 = (m — 2) 2 + (m — 1). Hence, as in (l44l >. we have 
I t(X m ) < I(X M ). 

Therefore, the source X'C cannot attain SK capacity without using omnivocality. 


Appendix E 

Proofs of Corollaries of Proposition fl6l 

In this section, we give the proofs of Corollaries Q/7] [19] [20] and [21] We start with the corollary stating that 
isentropic random variables form a Type S source. 

Proof of Corollary \T7\ For a partition V of M. with \'P\ > 2, let us define 


m ± = h(x m )-a(v). 

1 1 1 Aev 

By virtue of Proposition [l6l al. we need to show that S(Vb) < <5(«S) for all Bg!l. 

For isentropic random variables, the quantity H(Xb\X B c), for any B C M, depends only on the cardinality of 
B. Thus, for 1 < k < m, define g(k) = also, set <?(0) = 0. With this, we can write 


6(Vb) 


— H(X B \X B c) + Y / H(X M \ {l} \X i ) 
' ' L ieB 

|^|5(l s l) +9(m- 1) 


Also, note that S(S) = ~ 1)- Thus, we have to show that f° r all B £ Q. We accomplish 

this by proving that for isentropic random variables, the function g(k)/k is non-decreasing in k, or equivalently, 
kg{k + 1) — (k + 1 )g(k) is always non-negative. Indeed, we have g(k + 1) = H(Xm) ~ H(X^ k+2 m y) and 
g(k) = H{X M ) - H{X {k+1 _ m} ) = g{k + 1) - H(X k+1 |X {fc+2 ,..., m} ). Thus, 


kg{k + 1) - (fc + 1 )g(k) = (k + 1) H(X k+ i\X {k+2 ,„^ m }) - g(k + 1). 


It is straightforward to show that the above quantity is non-negative: 


g{k + 1) — H(X {1 i 2 ,...,fc+l}+ { fc+ 2 ,...,m } ) 

fc+i 

<Y, H ( X i\ X {k+2,...,m}) 

2=1 

= (k + l)H(X k+ i\X{ k+2 ^ m }), 

since, for 1 < i < k + 1, Tf(X i |X {fc+2i ... jrn }) = iT(X fc+ i|X {fe+2j ... jm }) by isentropy. ■ 

Next, we prove Corollary [19] which states that the PIN model on K rn t is strict Type S. 
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Proof of Corollary I / ( )\ Fix a set B C with \B\ < m — 2. We will use Corollary [l8l to show that the PIN 
model on K rn t is strict Type S. First we make the observation that \£\ = (”') for the case of K rnf . To proceed, 
we need to evaluate the expression ( e ) — !]■ We first consider the case when \B\ > t. The fact that If 

is at least t implies that there are (^) hyperedges which contain only elements of B, i.e., intersect the partition 
Vb in t parts. Now fix an i with 1 < i < t — 1. There are hyperedges containing any i terminals 

from B and any t — i terminals from M\B, i.e., intersecting the partition Vb in ft + 1) parts. Any remaining 
hyperedge will contain terminals from B c only and hence will intersect the partition Vb in only one part. As a 

result, we have E«*ft (e) -!] = ((- l)('f) +£ti ('?) (ftjf')< = ft !)('?') + |B|£t! Cfft'H’VJf')• 

Observe that ( m r^) is equal to (^i^ 1 ) subtracted from the coefficient of a/ -1 in the expansion of 

(1 + = (1 + Therefore, ('fl= (T-^i 1 ) - an d hence, for 

\B\ > t, we have 


5> s (e)-l] = |S| 

eG5 


m — 1 
t - 1 


+ {t ~ 1) 


- \B\ 


B |-1 

t - 1 


= \B\ 


m — 1 
t - 1 


\B\ 

t 


(45) 


Next, we turn our attention to the case of \B\ < t. In this case there are no hyperedges containing only terminals 
in B. For any i satisfying 1 < i < \B\, there exist hyperedges intersecting the partition in (i + 1) 

parts, as in the earlier case. However, all the remaining hyperedges are contained in B c only, and hence play no 
part in the expression egU Vtfe) — !]■ Thus, noting | If < t, we have as in the previous case. 



We will now apply Corollary |T8] When ] If > t, using (l45l > we have 


(46) 


1 

W\ 


e££ 


(t-m 

TO — 1 


/to — lA 1 t — 1 /to\ 

Vf-iJ \B\ V t ) m-l\t) 

1 (to — 1)! t to! f\B\— 1\ 

t (to — t)! (f — 1)! ft — 2)! (to —f)! (to — 1) \t — 1/ 

1 (to — 1 )! ft m \ f\B\ — 1\ 

t ft — 2)! (to — f)! \t — 1 to —1/ \ t — 1 / 

i [(rO - Cf^ 1 )] 


(47) 


> 0 


(48) 


where (l48l > holds as \B\ < to — 2. For the case of \B\ < t, we have 


1 

W\ 


e££ 


(t-m 

TO — 1 


/to — 1\ 

t 1 1 

( m\ 

U-i ) 

TO — 1 

Kt 


1 \fm-2Y 

t Kt-J. 


> 0 


(49) 
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where ( 149[ i follows from ( 1971 and ( 198 b . Thus, using Corollary [18] we have the result. ■ 

Next up is the proof of Corollary [20] which states that PIN models on A: -regular, fc-edge-connected graphs are 
strict Type S. 

Proof of Corollary 120] Consider a k -regular, /,'-edge-connected graph Q = (V, £). Using fc-regularity, we 
have \£\ = ^. As usual, we fix a B C M satisfying 1 < \B\ < m — 2 and proceed to evaluate the expression 
See£ [-Ps(e) — 1]. Observe that for an ordinary graph, the sum ^ egf [-Ps(e) — 1] = |£p B |, where &p n is the set 
of edges whose end-points lie in different cells of the partition V B - To proceed, we perform a graph contraction 
operation along the partition Vb on Q to get a new graph Q' = (]/, £'). More precisely, we take V' = /i (J { IV } 
and £' = £ £ : i,j £ 73 1 |J j{f3 c ,i} : 3{«, j} £ £, i £ B,j £ 73 c |, so that \£p B \ = \£'\. Now, the degree 

of every v £ V' satisfying v £ B is k, whereas by the fc-edge connectivity the degree of B c in Q' is at least k. 


Hence, we have \£p B \ = \£'\ > . Therefore, 


isrD^W-i]- 




|£| _ 1 if | km 

rn — 1 \B\ ] Vb1 2(m — 1) 


> - 

“ 2 

> 0 


\B\+1 

\B\ 


TO — 1 


(50) 


where, | |5()1 > follows from the fact that \B\ < m — 2. Using Corollary [18] we have the result. ■ 

Finally, we give the proof of Corollary [21] which states that a PIN model obtained from a Steiner triple system 
(STS) is strict Type S. Recall that Hsts = (M, STS(A4)) is a 3-uniform hypergraph obtained from an STS on M. 

Proof of Corollary 1271 We will use Proposition [l6l to get the result. First, we calculate // (X, ) for any 
i £ M. Observe that II (X,) counts the number of elements of STS (Ml) containing i. Now, fixing i £ XI, 
there are to — 1 pairs of elements from XI which contain i. Any set in STS (XI) containing i contains two 
such pairs. Further, by the definition of STS, we know that any such pair is a subset of exactly one element of 
STS(X(). Hence, we have H(Xi) = TO ~ I . Next, we evaluate H(Xj^) = |STS(Xf)|. Note that there are 
pairs of elements in XI, each pair being a subset of exactly one element of STS (XI). Also, each element of 
STS(Xf) contains three such pairs. Therefore, we have H(Xm) = |STS(Xf)|= . Using these facts, we 


t(jn— 1 ) 


m(m— 1 ) 
6 " 


3 * 


have A(S) = 

Now, fix a B C Xf with 1 < \B\ < m — 2 and evaluate A (Vb)- We consider two cases: 1 < \B\ < m — 3 and 
|i?| = to — 2. First, consider 1 < \B\ < m — 3. To proceed, we calculate a lower bound on H(Xa) for any A C X(. 
Observe that H(Xa ) counts the number of sets in STS(Xf) which contain at least one element from A. We will 
calculate an upper bound on the number of elements of STS (XT) containing only elements of A c , and subtract it from 
|STS(X()| to get the required lower bound. The total number of pairs formed by the elements of A c is ( m ^'T). 
Again, as each element of STS(Xf) contains 3 pairs, the required upper bound is |^ ( m ~l j4 l)X~l j4 l~ 1 ) j_ xhus, 
we have H(X A ) > |STS(Xf)|- (m ~ |A|)( ”~ |A| " 1) . So, H(X B c) > |STS(X<)|- |B|(l f |-1) , and hence, A{V B ) > 
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ik 


\B\(m-l) _ |B|(|B|-1) 
2 6 


= 1 . Therefore, 


A (V B ) - A(S) > 


to — 1 \B\ — \ to 


1, 


= -[m-2-|B|; 
> 0 


(51) 


where, (ED follows from the fact that \B\ < m — 2. 

To complete the proof, we show that A(Vb) — A(«S) > 0 is satisfied when \B\ = m — 2. To this end, we 
fix a B = JA \ {*, j}, where i,j G M. We will exactly calculate H{Xb <^), which is the number of elements of 
STS (Ad) containing at least one of i and j. It has been shown earlier that i and j each occur in exactly m ~ 1 
elements, and they occur together exactly once. Therefore, we have H(Xb^) = to — 2, and hence, A (Vb) = 

. Thus, 


l 

m—2 


(m-2Km-l) + ( m _ 2 ) _ m(m-l) 

A (V B ) - A(5) = 


1 


TO — 2 

m — 3 
3(to — 2) 


(to — 2)(to — 1) to(to-I)' 

-1- (to — 2)--- 


TO 

y 


> 0 


(52) 


where 


follows from the fact that m > 3. 
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